Solved

Audit Failure event in security logs of Domain controller

Posted on 2010-09-23
Last Modified: 2013-12-04
Hi,

I am checking some security event logs on the domain controller and what I am seeing is a lot of Audit failure logs. The surprising thing is that these audit failure events are coming from the only computers on the network which are on the same network BUT NOT ON DOMAIN. I am not sure if it is a particular type of bot or virus attack.

Any suggestions?
0
Question by:TheCommunicator
11 Comments
 
LVL 40

Accepted Solution

by:
Adam Brown earned 200 total points
ID: 33746685
It depends highly on what type of auditing is going on. Can you post one of the events, please?
0
 

Author Comment

by:TheCommunicator
ID: 33747517
It says Login failed. It looks like somebody from these machines is trying to actually log in to the Domain controller. I am not sure whether this is for real or something else is being masked as Login failure.


I am attaching the snapshot

Audit-Failure.png
0
 
LVL 40

Assisted Solution

by:Adam Brown
Adam Brown earned 200 total points
ID: 33748538
This site has some more detailed information on that event: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
This could be caused by a service account that is configured to run some software on the computers that are being reported having incorrect credentials. There are also a number of other reasons this could be showing up. Check the Substatus code and compare it to the ones listed at the link I gave and it should give you more information.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 33765407
Any persistent mappings from those systems using domain creds?

0
 

Author Comment

by:TheCommunicator
ID: 33765643
Oh yes actually these computers browse to some of the folders on these servers.
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 300 total points
ID: 33766689
I'd check for stored passwords that are out of date....
0
 

Author Comment

by:TheCommunicator
ID: 33767238
Can you please explain? Stored passwords which are out of date?
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 300 total points
ID: 33775469
If these non domain users have mappings that are done to your domain servers, then they might have stored passwords cached in their systems.....

start>run>control keymgr.dll

Check to see if any passwords exist for your servers on one of those systems....
0
 

Author Comment

by:TheCommunicator
ID: 33792152
Well, I checked. They do not use any credential manager facility.
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 300 total points
ID: 33795366
What's the Logon Type Code in your errors?

Logon Type Codes Revealed
http://www.windowsecurity.com/articles/Logon-Types.html

Will reveal more about the source of the failure....
0
 

Author Comment

by:TheCommunicator
ID: 33825404
It is Logon type 3.
0
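The checks suggested in this thread (Logon Type and SubStatus of event 4625, looked at per source machine) can be tabulated in one pass. The following is an added example, not part of the original posts: the function name `Get-FailedLogonSummary`, the sample host names, accounts and addresses are constructed for illustration, and the SubStatus table lists only a few of the documented codes.

```powershell
# Added example. SubStatus values are documented NTSTATUS codes for event 4625.
$SubStatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'bad password'
    '0xc0000071' = 'password expired'
    '0xc0000072' = 'account disabled'
    '0xc0000193' = 'account expired'
    '0xc0000234' = 'account locked out'
}

function Get-FailedLogonSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $rows = foreach ($x in $EventXml) {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$x).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $sub = "$($d['SubStatus'])".ToLower()
        $why = 'look up SubStatus'
        if ($SubStatusText.ContainsKey($sub)) { $why = $SubStatusText[$sub] }
        [pscustomobject]@{
            Workstation = $d['WorkstationName']
            IpAddress   = $d['IpAddress']
            Account     = $d['TargetUserName']
            LogonType   = $d['LogonType']
            SubStatus   = $sub
            Meaning     = $why
        }
    }
    # One line per distinct source/account/reason, most frequent first.
    $rows | Group-Object Workstation, IpAddress, Account, LogonType, SubStatus, Meaning |
        Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample events (hypothetical hosts and accounts). On the DC, use instead:
#   $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 500 |
#          ForEach-Object { $_.ToXml() }
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>' +
    '<Data Name="TargetUserName">{0}</Data><Data Name="SubStatus">{1}</Data>' +
    '<Data Name="LogonType">3</Data><Data Name="WorkstationName">{2}</Data>' +
    '<Data Name="IpAddress">{3}</Data></EventData></Event>'
$a = $template -f 'jsmith', '0xC000006A', 'LAPTOP-A', '192.0.2.15'
$b = $template -f 'admin',  '0xC0000064', 'KIOSK-B',  '192.0.2.40'
$xml = @($a, $a, $a, $b)

Get-FailedLogonSummary -EventXml $xml | Format-Table -AutoSize
```

One workstation repeating the same real account with "bad password" at logon type 3 fits the stale stored or mapped credential discussed above; failures for account names that do not exist in the domain point elsewhere and are worth checking on the source machine.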
